I’ve been on the road a bit lately, and noticed discussions keep working around to the general health of our industry. I’m not sure whether we’re good or just lucky, but we security folk find ourselves in the middle of a maelstrom of activity. And that will only accelerate over the next week, as many of us saddle up and head to San Francisco for the annual RSA Conference. We’ve been posting our RSA Conference Guide on the RSA Conference blog (are they nuts?) and tomorrow we’ll post our complete guide with all sorts of meme goodness.

The theme of this year’s Disaster Recovery Breakfast is be careful what you wish for. For years we have wanted more internal visibility for security efforts. We wanted to engage with senior management about why security is important. We wanted to get more funding and resources to deal with security issues. But now it’s happening. CISO types are being called into audit committee meetings and to address the full board (relatively) frequently. Budget is being freed up, shaken loose by the incessant drone of the breach of the day. We wanted the spotlight and now we have it. Oh crap.


And investors of all shapes and sizes want a piece of cybersecurity. We’ve been engaged in various due diligence efforts on behalf of investors looking at putting money to work in the sector. You see $100MM funding rounds for start-ups. WTF is that about? A friend told me his successful friends call him weekly asking to invest in security companies. It’s like when you get stock tips from a cabbie (or Uber driver), it’s probably time to sell. That’s what this feels like.

But security will remain a high-profile issue. There will be more breaches. There will be additional innovative attacks, probably hitting the wires next week, when there is a lot of focus on security. Just like at Black Hat last year. Things are great, right? The security juggernaut has left the dock and it’s steaming full speed ahead. So why does it feel weird? You know, unreal?

Part of it is the inevitable paranoia of doing security for a long time. When you are constantly trying to find the things that will kill you, it’s hard to step back and just appreciate good times. Another part is that I’ve lived through boom and bust cycles before. When you see low-revenue early-stage start-ups acquired in $200MM+ and $50MM+ funding rounds for, you can’t help but think we are close to the top of the boom. The place to go from there is down. Been there, done that. I’m still writing off my investment tax losses from the Internet bubble (today is Tax Day in the US).

But you know what? What’s the use in worrying? I’m going to let it play out and do a distinctly atypical thing and actually enjoy the boom. I was too young and naive to realize how much fun the Internet boom was on the way up. I actually believed that was the new normal. Shame on me if I can’t enjoy it this time around.

I’ll be in SF next week with a huge smile on my face. I will see a lot of friends at RSAC. Rich, Adrian, and I will offer a cloud security automation learning lab and JJ and I will run a peer-to-peer session on mindfulness. I’ll have great conversations with clients and I’m sure I’ll fill the pipeline for the next couple months with interesting projects to work on. I’ll also do some damage to my liver. Because that’s what I do.

These halcyon days of security will end at some point. There is no beanstalk that grows to the sky. But I’m not going to worry about that now. I’ll ride through the bust, whenever it comes. We all will. Because we’re security people. We’ll be here when the carpetbaggers have moved on to the next hot sector promising untold riches and easy jobs. We’ll be here after the investors doing stupid deals wash out and wonder why they couldn’t make money on the 12th company entering the security analytics business. We’ll be here when the next compliance mandate comes and goes, just like every other mandate.

We’ll be here because security isn’t just a job. It’s a calling. And those who have been called ride through the booms and the busts. Today is just another day of being attacked by folks who want to steal your stuff.


Photo credit: “Explosion de ballon Polyptyque“_ originally uploaded by Mickael

Have you registered for Disaster Recovery Breakfast VII yet? What are you waiting for. Check out the invite and then RSVP to rsvp (at) securosis.com, so we know how much food to get…

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.

Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Network-based Threat Detection

Applied Threat Intelligence

Network Security Gateway Evolution

Recently Published Papers

Incite 4 U

  1. Slap in the face: Part of the cellphone security model is locking and/or remotely wiping stolen cellphones. Allowing owners to control transfer of ownership makes stolen phones are almost worthless, and should discourage phone theft. But a giant case of insider fraud at AT&T barely made news last week, because it was positioned in the press as just another data breach. The real story is that a handful of employees in foreign markets accessed customer accounts to allow the transfer and activation of stolen phones. What makes the story so painful is that the criminal organization which got its mules into AT&T profited, the US government got the cost of its investigation covered by the $25M fine, and AT&T enjoyed 500k or so new subscribers on stolen phones and a tax write-down on the fine. The slap is to that people who had phones stolen get worthless “credit monitoring”, while FCC chair Tom Wheeler sprays perfume onto this steaming pile by claiming this is a victory for privacy – which implies the insiders actually stole personal information, rather than just transferring phone ownership. – AL
  2. Lay off my forensicators: In what appears to be another example of a company with too many lawyers, one company is sore another company hired a bunch of their people. MasterCard is suing Nike over former MC employees allegedly taking ‘proprietary’ network configurations to their new employer. But the hook in the suit is that some service providers were now working with Nike instead of MC. So apparently we are not in a free-market economy and service providers have become indentured servants to their clients. Bah. Too many damn lawyers. There has to be a better way to handle this. If they wanted to cut down employee churn, perhaps they could make it more interesting and attractive for employees to stick around. And there isn’t much you can do if an employee leaves, taking their multi-decade relationships with service providers. But when you have lawyers, evidently you need to lawyer up. – MR
  3. You’re the product: It’s not a question of whether your emails are tracked – Wired Magazine explains a browser tool to detect common email tracking elements, nicely illustrating that the only question is by whom and how many firms track each email you receive or send. It’s not uncommon to receive email with several trackers embedded – I get some with a half dozen. In some cases the trackers are added unbeknownst to the sender, instead tacked on by service providers. Most email providers earn money by tracking you, and every marketing manager running a ‘campaign’ demands to know not just who – but how – people are reading their precious content, so pretty much every email is tracked. Be it a browser or a dedicated mail tool, these email viewers don’t offer any insight into what’s being requested, by who, or how much data they pull out. Of course not, because that might interfere with their the ability to monetize you. The web pages you visit are far worse: even the Wired web page for that article serves fourteen trackers from sites you didn’t visit and which don’t serve the content you requested. They are solely to track what you do and how you do it, and that data is likely shared and resold yet again. The tools listed in this Wired article – such as UglyMail – lift just one veil obscuring the horrors underneath. If you really want to see – and control – what your email client and browsers transmit, get an outbound firewall to detect and filter. Remember, if you’re not paying, you’re the product. – AL
  4. Minority Security Report: One of the hot hot hot areas of security for 2015 is insider threat detection. These new security analytics tools look at a bunch of data and have means to determine when an employee is doing something that puts corporate data at risk. It turns out these technologies have been under development for a while for other use cases as well. For instance JP Morgan has a system that looks for signs that a trader is going to go rogue. Evidently they’ve profiled and found patterns that indicate an employee is going to do bad stuff. So they can then put the employee under watch. Is this a slippery slope? Yes and no. There is nothing wrong with monitoring an employee’s behavior if they show indicators of doing something bad for the organization. But how do you deal with false positives? And could the tools be used to curry favor for political purposes within the organization? I guess we should expect the equivalent of the Salem Witch Trials at some point. – MR
  5. Any time now: In 1999 I saw my first television ad proclaiming the amazing benefits of chip-based credit cards, and how they would protect customers and banks from fraud. It was the “Internet Age”, these cards looked Star Trek cool, and I wanted one. Too bad: My bank didn’t carry them. And even if they did, none of the merchants used the chip-based capabilities to counter card cloning. Fast forward to today, 16 frigging years later, and it’s still the same. My bank, sadly, still does not issue EMV-based credit cards. They do have a plan to roll them out, oh, sometime in 2016. So while I think it’s beyond pathetic that food retailers have asked for an extension on the EMV deadline – which shifts card fraud liability onto merchants who do not comply – I get it. It’s not just that they have been dragging their feet, but banks have been dragging as well. But honestly, the only way these cards can supplant magstripes in the US is for the card brands to not extend the deadline and to shift liability. When the financial incentive hits, we’ll see action. 16 years is enough warning. – AL
  6. Not a bad thing: Andreas Gal, Mozilla CTO, offers an interesting rant on limited access to Google search data available to other search engines. Over the last decade search engines have used user query data, more than crawling the Internet, to refine their own search results. Other search engines, ISPs, and telcos used to – ahem – collect user search data entered into Google and leverage that information. The crux of Andreas’ rant is that Google started encrypting its search strings, so only Google has access to user queries. But this is exactly what I want as a user – that the information I entrust ti Google not be shared. I want them to encrypt it and keep it to themselves. Further, this is part of Google’s moat, born from early technical advantages and the “network effect” of providing a service people really like, which is a good thing which Google earned. It requires other firms to innovate to attract users – and to do something unique or better before they can assail Google’s moat. Plus, I think Andreas missed that the embedded search bars in browsers like Firefox offer users a feature they do take advantage of: easy switching between search engines when they don’t like the results from their default option. Only vendors see this as a turf war; users see the value in both privacy and different results from different search tools. – AL